LLMNR/NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning are types of attacks that target how devices on a network identify and communicate with each other by name.

In simple terms, these protocols are used by devices to find each other when they don’t know each other’s IP address. An attacker can trick devices into thinking the attacker’s machine is the one they’re trying to reach. This allows the attacker to intercept sensitive information, like login credentials, or redirect network traffic for malicious purposes.

---

Tool

We can use one of the following tool:

• Responder
• Inveigh

---

Linux

Step 1: sudo responder -I tun0
Step 2: Wait for the target to send an LLMNR/NBT-NS request...
Step 3: Responder will capture the request and respond with the attacker's machine as the destination.
Step 4: If authentication is required, Responder will capture the hashed credentials.
Step 5: Use tool like hashcat or john to crack the captured hash.

Windows

Step 1:

Import-Module .\Inveigh.ps1
(Get-Command Invoke-Inveigh).Parameters # https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters

Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

Step 2: Wait for the target to send an LLMNR/NBT-NS request...
Step 3: Inveigh will capture the request and respond with the attacker's machine as the destination.
Step 4: If authentication is required, Inveigh will capture the hashed credentials.
Step 5: Use tool like hashcat or john to crack the captured hash

tip

Inveigh.exe also exists as the original version, but it is no longer maintained.